Congressional Committee Revives Data Security Legislation

A House committee has revived data security legislation that has languished for the last several years. The legislation could provide some useful safeguards for the privacy and security of consumer data, but the incremental nature of the potential gains highlights the need for general baseline privacy legislation. Key members of the same committee have expressed their intention to work on such general legislation as well.

1) Congressional Committee Revives Data Security Legislation

In early May, Congressman Bobby Rush, the Chairman of the House Energy and Commerce Committee’s Subcommittee on Commerce, Trade, and Consumer Protection, joined several colleagues in introducing and holding a hearing on the Data Accountability and Trust Act, H.R. 2221. The bill had been the focus of considerable effort in the 109th Congress (2005-2006), when it was approved unanimously by the Energy and Commerce Committee and was one of a number of bills vying for congressional attention in the wake of the major ChoicePoint data breach in 2005. It was reintroduced in the 110th Congress (2007-2008) but received little legislative attention.

Like most federal data security bills proposed since 2005, H.R. 2221 would set a consistent, nationwide requirement for businesses to notify affected individuals when a breach of data security results in unauthorized parties gaining access to their personal data. The bill also would require entities that electronically store personal information to implement reasonable procedures to protect against security risks, similar to the procedural requirements currently in place for financial institutions under the Gramm-Leach-Bliley Act (GLB). Finally, the bill contains some special requirements for “information brokers.” These provisions would require entities in the business of collecting and selling data about users to third parties who are not necessarily customers to submit to security audits in the event of a data breach; to verify the accuracy of the personal data in which they trade; and, importantly, to allow consumers to review what is in their individual data files.

CDT participated in the May 5 hearing examining the bill. (The hearing also examined H.R. 1319, the Informed P2P User Act, so CDT’s testimony discussed that bill as well.)

2) Bill’s Benefits Stem from Provisions Other than Notification

The breach notification provisions in H.R. 2221 are much better than some that have been proposed in other federal legislation in the past. (For example, see this link.) CDT’s testimony suggested improving the bill’s notification regime by including a provision stating that when a company refrains from notifying individuals based on its judgment that the breach poses no serious risk, the company must still submit a brief written explanation of the incident to a regulatory body such as the FTC. This would help protect against the possibility of a company simply assuming away risks in order to avoid notification.

It is important to keep in mind, however, that all but a few states have enacted data breach laws. As a result, companies today already notify affected individuals in the event of a breach. From a consumer perspective, therefore, a federal notification standard for corporate data breaches does not offer much tangible progress over the status quo. Indeed, because H.R. 2221 and other federal notification bills propose to preempt state laws in this area, any federal notification regime that is less effective than those currently in place at the state level would amount to a step backward. To be of real benefit to consumers, data security legislation must include both a solid notification regime and some additional protections other than notification.

CDT has previously offered recommendations for a range of protections that could be included in a data security bill (see link below); H.R. 2221 contains potentially useful provisions in two of these areas. First, the bill would require security safeguards modeled on the existing GLB regime for the financial services sector. These provisions do not specify the particular security measures each company should adopt, but rather would require each company to have a formal process for evaluating its data security risks and adopting a plan to address them.

Second, the provisions requiring information brokers (defined as entities in the business of distributing personal information about people who are not the entities’ customers) to allow consumers to review what is in their individual data files and point out errors could turn out to be the bill’s most significant gain for consumers. For example, if an innocent person finds his or her transactions are wrongly getting flagged as posing fraud risks, he or she could try to investigate and challenge the mistaken data that is causing the problem. An access and correction regime is well established under the Fair Credit Reporting Act and CDT supports the idea of establishing similar consumer access rights with respect to additional companies that aggregate and sell personal data.

3) General Baseline Privacy Legislation Needed

Allowing consumers to review their data files and having sound practices to protect against and respond to data breaches are among the custodial obligations that should apply to those who collect, use, and store personally identifiable information. But it is important to recognize that H.R. 2221, like prior bills aimed at data security and breach notification, addresses only part of a broader puzzle.

The common background to bills in this general area is that technology has created powerful new ways to gather, sort, store, analyze, locate, correlate, and disseminate data. This enables increasingly intensive use of personal data, which offers many benefits but also raises a host of privacy challenges. Most users have only a limited understanding of the multiple ways their data is used and shared in today’s data economy. Data security breaches and identity theft have become all too frequent, and consumers are concerned that they lack control over their personal information.

Despite the unprecedented challenges to privacy in the modern environment, the United States still has no comprehensive law that spells out consumers’ privacy rights in the commercial marketplace. Instead, a confusing patchwork of distinct standards has developed over the years, with highly uneven results and many gaps in coverage.

While bills like H.R. 2221 target real problems, those problems would ideally be addressed in the context of broader privacy legislation. Such legislation would create a single, consistent regime of baseline privacy standards and provide guidance as new privacy questions arise over time. It would be based on the “Fair Information Practices,” a set of principles that date back several decades and have been widely acknowledged as the cornerstone of privacy protection.

CDT has long advocated such legislation and influential Members of Congress appear ready to put it on the agenda. Congressmen Rush and Rick Boucher have said they intend for their respective subcommittees of the House Energy and Commerce Committee to hold a joint hearing on the subject and to begin work on a bill.

Meanwhile, H.R. 2221 faces a challenge that has stymied previous data security bills: overlapping committee jurisdiction. Past bills have been approved by individual committees but have failed to advance further due to difficulty in resolving differences between competing bills from different committees.

Congress did recently enact detailed federal data breach notification requirements pertaining specifically to health information, as part of a health privacy package in the 2009 economic stimulus legislation. Rulemakings to flesh out those requirements are currently pending. In addition, the general topic of cybersecurity is receiving a high degree of congressional attention, which could provide avenues for considering measures related to data breaches and data security.